Quick Reaction Test: Host-Based Security System

Timothy K. Holmes

Joint Interoperability Test Command, Indian Head, Maryland

Cesar E. Pie

Cyber Security Research and Solutions Corporation, La Plata, Maryland

Under the leadership and shared vision of the United States Strategic Command, the Defense Information Systems Agency (DISA) Mission Assurance/Network Operations Program Executive Office, the DISA Joint Interoperability Test Command, and other Department stakeholders, the Department of Defense has successfully orchestrated a Global Information Grid-wide initiative in support of the institutionalization of the Host-Based Security System throughout the Department of Defense. The scope of the Host-Based Security System deployment will be worldwide. This vast effort requires a large support infrastructure to be in place and a rigorous testing project that will help expedite the fielding of its unique capabilities.

Key words: Computer network defense; computer system security; cyber-threat; intrusion detection; intrusion prevention.


The Host-Based Security System (HBSS) baseline is a flexible, Commercial-Off-The-Shelf (COTS)-based application. It monitors, detects, and counters known cyber-threats to the Department of Defense (DoD) Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (i.e., server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an intrusion prevention system (IPS) and host firewall. The Defense Information Systems Agency (DISA) Program Executive Office Mission Assurance and Network Operations (PEO-MA) is providing the program management and supporting the deployment of this solution.

Joint test approach

Under the auspices of the Joint Test and Evaluation Program, the HBSS Quick Reaction Test (QRT) project is focused on developing tactics, techniques, and procedures (TTP) and concepts of operations (CONOPS) in support of HBSS operations. The QRT has taken a joint approach (along with the assessment practices, principles, and strategies used in previous Bulwark Defender exercises) to test formal and informal HBSS configuration policies across the Global Information Grid (GIG) and to develop DoD-specific protection level baselines to address the required level of security needed by the Department. These configuration baselines will provide GIG network defenders with documented TTP and CONOPS for the employment, implementation, and operation of the HBSS throughout DoD (enhancing the warfighter's ability and capabilities to protect, monitor, detect, analyze, diagnose, and respond to cyber threats). The United States Strategic Command (USSTRATCOM), through United States Cyber Command (USCYBERCOM), has instructed the potential use of the QRT test results in upcoming Operational Plans (OPLANS) and will require implementation of HBSS TTP recommendations by their DoD Network Operations (NetOps) Combatant Commands/Services/Agencies (CC/S/A) via Fragmentary Orders (FRAGO) and/or Command Task Orders (CTO).

The HBSS QRT test approach is based on the proven Joint Interoperability Test Command (JITC) Information Assurance/Computer Network Defense (IA/CND) attack-based methodology. Much like a typical war game exercise, the JITC approach uses a red attack/blue defend construct. The concept is that red attacks along defined attack vectors, aligned with an anatomy of an attack, using detailed scenarios based on the latest Joint Task Force-Global Network Operations (JTF-GNO) J2 observed threats. Blue will use the full range of people, processes, and technologies available to defend against red. Each attack and defend activity is controlled, measured, and correlated, with analysis focusing on the most effective and suitable scenario as it relates to the warfighter's mission. The operational threat environment replicated by the threat team will aim to target second and third generation threats, as defined in the Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 6510.01E. This is the replication of non-state-sponsored groups utilizing common tools in a sophisticated manner and the replication of state-sponsored groups utilizing a combination of common and uncommon hacker tools and techniques in a sophisticated manner with unlimited resources.

As prioritized by USSTRATCOM, every recommended scenario event has been mapped to its corresponding class of attack (i.e., passive, active, insider, distribution, and close-in) and three of seven stages of an anatomy of attack (i.e., gaining access, escalation of privilege, maintaining access). To support the development of attack scenarios, the JITC created the HBSS QRT Threat Team Working Group (TTWG) to identify, coordinate, and validate the selected scenarios. The scenarios were created by the U.S. Air Force and DISA Field Security Officer and reviewed by the National Security Agency. The JITC, in coordination with the TTWG, will continue to add increasingly sophisticated scenarios over the life of the QRT to render the best possible HBSS configurations and TTP.

Test concept and measures

As part of each QRT event, the threat team will render a series of increasingly sophisticated attacks. The blue defenders will implement a series of candidate configurations of TTP in an attempt to counter the threat. The test concept will measure the relative performance of these candidate configurations and TTPs to identify the best candidate. The measures the QRT will use are taken from the Office of the Secretary of Defense (OSD) Director, Operational Test and Evaluation Core Metrics Manual for Operational Assessments of Information Assurance and Interoperability (DOT&E Core Metrics Manual). This manual contains the performance-based metrics used in the DOT&E-sponsored assessments of IA/CND during Combatant Command (COCOM) exercises. The DOT&E Core Metrics Manual defines the performance measures and metrics, the data elements, and the analysis method, along with associated data collection forms. This Manual has been applied to a variety of COCOM exercises, including Bulwark Defender, to measure the operational performance of the COCOM's IA/CND capability. The metrics are proven, accepted by all GTAs, well understood, and will yield the exact performance-based criteria needed by the HBSS QRT to determine the most effective configurations and TTPs.


Conclusion

The HBSS QRT will be accomplished in two spirals; each spiral will consist of a set of two lab-based events and conclude with an operational test that includes the participation of both U.S. Pacific Command and U.S. Strategic Command. The HBSS QRT was directed on January 6, 2010, with an expected performance period ending January 5, 2011. Upcoming HBSS QRT events will allow the warfighter to establish best practices and obtain lessons learned. The HBSS QRT will provide results that will undoubtedly expand the warfighter's capability to protect, detect, diagnose, and react to cyber threats using effective configurations and improved TTPs.